Question

Hey folks, I'm working on a BYOPKI verification example in: https://github.com/saschagrunert/byopki/blob/main/run

It does:

- https://github.com/saschagrunert/byopki/blob/ad923ea/run#L23-L164
- https://github.com/saschagrunert/byopki/blob/ad923ea/run#L166-L174
- `cosign generate` and `cosign attach` to sign the image: https://github.com/saschagrunert/byopki/blob/ad923ea/run#L178-L189
- `cosign verify … --key`, which works: https://github.com/saschagrunert/byopki/blob/ad923ea/run#L191-L195
- https://github.com/saschagrunert/byopki/blob/ad923ea/run#L197-L203

With:

```
> Verify signature keyless
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Error: no matching signatures: cert verification failed: x509: certificate specifies an incompatible key usage. Check your TUF root (see cosign initialize) or set a custom root with env var SIGSTORE_ROOT_FILE
main.go:69: error during command execution: no matching signatures: cert verification failed: x509: certificate specifies an incompatible key usage. Check your TUF root (see cosign initialize) or set a custom root with env var SIGSTORE_ROOT_FILE
```

Setting `SIGSTORE_ROOT_FILE` to the CA or full chain does not help either. Am I missing something?

I'm using cosign v2.2.4 right now.

Your key usages are also overspecified, the root only needs "cert sign" (and possibly "crl sign" if you're issuing CRLs), same with the intermediate. The intermediate also must specify "code signing" per EKU chaining.